LOUISVILLE - DerbyCon - Saturday afternoon, SecurityWeek sat down with Ryan Sevey, an information security consultant for a utility company, who gave a talk at DerbyCon on security solutions for Small and Mid-Size Businesses (SMBs), with a focus on “Mom and Pop” operations.

According to the U.S. Census, there are 27 million SMBs in the U.S., and security has proven to be a challenge for them for a number of common reasons. When Sevey worked as a consultant, he constantly came upon SMBs with lacking or completely missing security programs, and would hear the same logic time and time again as to why this was the case.

Some organizations would say that cost is the reason, as in security is just too expensive. Others would comment on how they didn’t need security because they have nothing of interest to the criminal element online. The “it won’t happen to me” mindset is very common in the SMB space, and yet SMBs are often the most common target, and the lack of security makes them the easiest.

Sevey mentioned several things that SMBs can do to increase their level of security, which can also save the small business owner money in the long term. The first item on the list is a risk assessment. The assessment doesn’t have to be perfect, and there are plenty of resources online to help the business get started. An assessment should also include an information classification process, which allows the organization to determine the types of information that are important, where this data is on the network, and who or what has access to it. From there, an Acceptable Use Policy (AUP) should be written, as well as policies related to business continuity and disaster recovery.

Often the SMB can’t afford its own IT staff, but it should get in the habit of checking on its vendors, and remember that different jobs require different consultants or firms. Because consultants are expensive, and money is always an issue within an SMB, it isn’t uncommon for the same consultancy to do all technical projects, when sometimes that just isn’t conducive to a well-rounded security program.

The other major point he stressed in his talk is that security shouldn’t be something that comes after the fact, or something that is only there so that a box can be checked on a compliance form. Compliance doesn’t equal security, but unfortunately that is how some SMBs view it.

Lastly, Sevey mentioned pfSense, a great open source tool that SMBs can use to help with several security needs. The utility offers several valuable capabilities, from VPN and routing to firewalling. A full feature list and download can be seen here.

The vendor area at DerbyCon is mostly a casual spot, where there isn’t a hard sell and the booth teams are attendees themselves for the most part. Admittedly, seeing vendors such as Rapid7 and Symantec came as no surprise, but a booth manned by the US Army’s Intelligence and Security Command (INSCOM) Cyber Brigade was a bit unusual.

However, the idea that the government’s recruitment efforts, which have been somewhat successful during Black Hat and not so successful during DEF CON, would reach to the smaller, regional events isn’t shocking by any stretch. According to representatives on site at DerbyCon, there are also plans to attend OWASP in Austin, Texas and Hacker Halted next month in Miami.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.